Windows SMB Client Vulnerability Enables Attacker to Own Active Directory

Marcus Rodriguez
January 19, 2026

A critical vulnerability has been identified in Windows SMB client authentication, enabling attackers to compromise Active Directory environments through NTLM reflection exploitation.

Classified as an improper access control vulnerability, it allows an authorized attacker to escalate privileges by relaying authentication over the network in a carefully orchestrated sequence.

Seven months after the fix shipped in the June 2025 security updates, research shows that the patch is still widely missing across enterprise infrastructure.

Vulnerable hosts are identified on nearly every penetration test engagement across domain controllers, tier-zero servers, and workstations. The vulnerability exploits a fundamental mechanism in Windows NTLM local authentication.

Figure: Successful SMB Relay With Flaw

When a client receives an NTLM_CHALLENGE message marked for local authentication, the system creates a context object and inserts a context ID into the Reserved field.

This mechanism, combined with coercion techniques such as PetitPotam, DFSCoerce, and Printerbug, forces lsass.exe (running as SYSTEM) to authenticate to attacker-controlled servers.

Aspect              Details
CVE Identifier      CVE-2025-33073
Vulnerability Type  NTLM Reflection / Privilege Escalation
Attack Vector       Network (Coercion + Authentication Relay)
Patch Release       June 2025 Windows Updates
Primary Impact      Complete Active Directory Compromise
Current Status      Widely unpatched in enterprise environments

The server then impersonates the SYSTEM token for subsequent operations, effectively granting full system compromise.

Attack Requirements and Exploitation Pathways

Exploitation requires either registering a malicious DNS record in AD DNS (allowed for Authenticated Users by default) or performing DNS poisoning within the local network.

Figure: Successful SMB LDAPS Reflection (Source: DepthSecurity)

These low-privilege requirements fundamentally increase the attack surface, as most organizations have not restricted Authenticated Users from creating arbitrary DNS records in AD DNS zones.

Traditional mitigations prove insufficient against advanced exploitation vectors.

While SMB signing typically prevents relay attacks, research demonstrates successful cross-protocol relays from SMB to LDAPS with signing and channel binding enforced.

This bypass involves stripping specific NTLMSSP flags (Negotiate Always Sign, Negotiate Seal, Negotiate Sign) while preserving the Message Integrity Code. This technique enables attackers to bypass multiple security controls simultaneously.

Expanded Attack Surface Beyond SMB Signing

The vulnerability extends beyond conventional SMB-to-SMB relays. DepthSecurity researchers confirmed successful attacks against ADCS enrollment services, MSSQL databases, and WinRMS through cross-protocol relay techniques.

Even more concerning, SMB-to-LDAPS reflection attacks let attackers manipulate Active Directory objects directly with SYSTEM privileges, enabling group membership modification and credential harvesting through DCSync operations.

RPC-based relay attempts revealed session key encryption requirements similar to those of SMB signing, demonstrating that fundamental Windows authentication mechanisms compound the vulnerability’s impact.

Figure: RPC Reflection Authentication (Source: DepthSecurity)

Attackers successfully authenticate to RPC services but encounter access controls on subsequent operations, suggesting potential avenues for exploitation via Net-NTLMv1 authentication.

According to DepthSecurity, organizations must immediately apply June 2025 Windows security updates as the primary mitigation. Additionally, enable signing and channel binding enforcement across all protocols, not limited to SMB.

Figure: SMB Relay with Signing (Source: DepthSecurity)

Reconfiguring Active Directory DNS zone access control lists to restrict Authenticated Users from creating DNS records significantly reduces the feasibility of exploitation.
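The following PowerShell audit is an added example, not code from DepthSecurity or the article; it checks a host for the mitigations named above (patch state, SMB signing on client and server, LDAP signing and channel binding, and whether Authenticated Users can create records in the domain DNS zone). It assumes a domain-joined host with the ActiveDirectory RSAT module, and the KB identifier is a placeholder because the article does not give one.

```powershell
# Added audit script (not part of the article). Run with domain admin rights on a
# domain-joined Windows host; the LDAP checks are only meaningful on a DC.
# Assumptions: KB placeholder must be replaced with the June 2025 update for the
# host's OS build; registry value names are the documented LDAP hardening settings.
function Test-Cve202533073Mitigations {
    param([string]$KB = 'KB_PLACEHOLDER')  # placeholder, fill in the June 2025 cumulative update id

    # 1. Patch state: the article's primary mitigation.
    $patched = [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)

    # 2. SMB signing must be required on both the server and the client side.
    $smbServerSigning = (Get-SmbServerConfiguration).RequireSecuritySignature
    $smbClientSigning = (Get-SmbClientConfiguration).RequireSecuritySignature

    # 3. LDAP signing (2 = require) and channel binding (2 = always) on a DC.
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $ntdsProps = Get-ItemProperty -Path $ntds -ErrorAction SilentlyContinue
    $ldapSigning = $ntdsProps.LDAPServerIntegrity
    $ldapChannelBinding = $ntdsProps.LdapEnforceChannelBinding

    # 4. Can Authenticated Users create child objects (DNS records) in the domain zone?
    Import-Module ActiveDirectory
    $domain = Get-ADDomain
    $zoneDn = "DC=$($domain.DNSRoot),CN=MicrosoftDNS,DC=DomainDnsZones,$($domain.DistinguishedName)"
    $acl = Get-Acl -Path "AD:\$zoneDn"
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $authUsersCanCreate = [bool]($acl.Access | Where-Object {
        $_.IdentityReference -eq 'NT AUTHORITY\Authenticated Users' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $createChild)
    })

    # One object per host so results can be collected across the estate.
    [pscustomobject]@{
        Host                  = $env:COMPUTERNAME
        June2025UpdateApplied = $patched
        SmbServerSigning      = $smbServerSigning
        SmbClientSigning      = $smbClientSigning
        LdapSigningRequired   = ($ldapSigning -eq 2)
        LdapChannelBinding    = ($ldapChannelBinding -eq 2)
        AuthUsersCanCreateDns = $authUsersCanCreate
    }
}

Test-Cve202533073Mitigations | Format-List
```

Any $false in the first six fields, or $true in the last one, marks a host that still needs one of the mitigations the article lists.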

Security teams must prioritize swift patching of the hosts exposed to NTLM coercion techniques and audit their infrastructure thoroughly for the NTLM relay paths described above.
